Posted on 06-21-2010 07:24 AM
Hi everyone,
I'm trying to configure an mcx setting so that our techs can administer
lab machines using their Active Directory credentials. I've gotten info
on this from Apple but it's of little use to me. Has anyone successfully
achieved this? I'd appreciate the help.
John McLaughlin
Technical Support Specialist
Newton Public Schools
Posted on 06-21-2010 07:34 AM
Do you mean that they are admins using AD credentials?
You need to add their AD group to the Active Directory plugin; there's a script in the Resource Kit for that.
I think it's called "Add to AD Group". I use it.
Criss
Criss Myers
Senior Customer Support Analyst (Mac Services)
iPhone Developer
Apple Certified Technical Coordinator v10.5
LIS Development Team
Adelphi Building AB28
University of Central Lancashire
Preston PR1 2HE
Ex 5054
01772 895054
Posted on 06-21-2010 07:41 AM
I'm assuming all of your domain admins are in groups in AD. In Directory Utility > Active Directory > Advanced Options > Administrative, you can set these groups to have admin rights on the machine by checking the "Allow administration by" box and then entering DOMAIN\name_of_admin_group. You can preconfigure this in the JSS so it is added when you bind/rebind machines.
~Joseph
...
HUGE
Joseph Simon / IT Support Technician
718 233 4016 / F 718 625 5157
www.hugeinc.com
Posted on 06-21-2010 07:46 AM
Yes, those users are added to each client via the plugin. They can
administer those machines with their AD accounts. However, I need those
users to be able to access a client with ARD Admin using that account and
not a local. Have you done this?
John McLaughlin
Technical Support Specialist
Newton Public Schools
Posted on 06-21-2010 07:59 AM
If the account exists on the machine you can just add them to the admin group
You can also use the kickstart command to specify which user has ARD access. In the beginning of our 1:1 we actually made an ARD Admin OD group, because someone wanted non-IT staff to have remote access as a learning tool in the schools. It was such a hassle (this was 10.4 server) that we scrapped it and just created a local admin account for specific ARD access. Then if I had to nuke it because of security leaks, it was fine, because its main purpose was for non-IT staff to have ARD access.
At the time of our initial roll out, I had about 10 or so Apple Engineers and 2 Apple Project Managers out here working with us, and it did not function properly at all. So I (a total Casper noob at the time), with the power of Google, figured out how to write a script to add an account, add it to ARD access and set privs, and then pushed it out via Casper.
Now, I do it all via post image scripts, here is the snip from my script that kick starts ARD
# ensure remote desktop is enabled for our local admin accounts #
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate
# now set access to remote desktop, refer to admin 1 and admin 2 from above
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users $admin1_short,$admin2_short -access -on -privs -all
/bin/echo "ARD client configured"
I know this doesn't quite answer your question, but this was my way of doing it here where I work. I have talked with a few contractors locally here that do tons of Apple enterprise work and they could never get OD or AD users to work with ARD admin and almost always go the local account way. If you get it working, please post it and I will very happily copy/paste it into my tech notes folder.
-Tom
Posted on 06-21-2010 08:07 AM
After seeing this I tried to ARD with my domain account and I couldn't. Sorry for the false info; I just assumed it could.
Thomas, the below script still relies on a local account. Correct?
On 6/21/10 10:59 AM, "Thomas Larkin" <tlarki at kckps.org> wrote:
Posted on 06-21-2010 08:15 AM
Correct, due to the complexity of the OD groups being given just ARD
access we decided to make a universal account called "ard" and gave it a
generic password. It is given to those that need ARD access outside IT
and if it gets compromised I use Casper to nuke the account. Every
person knows that we will nuke the account too, as it has already
happened.
Posted on 06-21-2010 08:34 AM
To utilize ARD with an AD account, you need to create specific AD groups depending upon the level of ARD admin access you wish to provide.
The ARD admin manual provides a chart as to the AD groups needed and what function they provide. I don't have that with me right now or I'd quote the page number.
One thing I would mention as another possibility is to use Casper Remote.
Define account access to those AD users in the JSS for using Casper Remote and provide them with a copy of it. You could define something as simple as giving them Observe or Control access to another computer but deny any other functionality.
One of the many benefits of this is that the actions are all logged within the JSS.
Lance
Posted on 06-21-2010 08:53 AM
While ARD is launched, select Help menu --> Remote Desktop Manual. See page 70.
Works a treat!
On 6/21/10 10:34 AM, "Lance Ogletree" <Lance.Ogletree at jamfsoftware.com> wrote:
--
William Smith
Technical Analyst
MCS IT, Saint Paul
(651) 632-1492
Posted on 06-21-2010 10:50 AM
Lance,
Thanks for the info, but this is what I currently have been trying to work with. I guess I'm having difficulty understanding how to configure the clients for this use if I'm not using OD to create these groups. Am I missing this? How does one use Casper and AD to facilitate this?
John McLaughlin
Technical Support Specialist
Newton Public Schools
Posted on 06-21-2010 11:37 AM
I took a quick peek at it, and it has definitely changed since I last tried this in OD. I noticed a new group in directory services; there is a whole bunch of them:
xs001-casper:/ root# dscl . list /Groups | grep ard
_ard
com.apple.local.ard_admin
com.apple.local.ard_interact
com.apple.local.ard_manage
com.apple.local.ard_reports
xs001-casper:/ root#
so I decided to read what one says....
xs001-casper:/ root# dscl . read /Groups/com.apple.local.ard_admin
AppleMetaNodeLocation: /Local/Default
GeneratedUID: D6F91EF5-A568-430C-850E-D92234ECF8F3
NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050
PrimaryGroupID: 502
RecordName: com.apple.local.ard_admin
RecordType: dsRecTypeStandard:Groups
No time to dig any deeper, but it looks like Apple added this support sometime between 10.4 and 10.5.8; not sure when they did. When I first tried it we were on 10.4 server and it was horrid.
Posted on 06-22-2010 06:20 AM
Lance,
Thanks for your and everyone's help. I found the same info and have begun testing with a client installer. From the looks of the postflights, all you need to do is configure kickstart with the options "-setdirlogins" and "-dirlogins yes", but it's still not working right now. I'll post any solution I come up with.
John McLaughlin
Technical Support Specialist
Newton Public Schools
Posted on 06-24-2010 12:29 AM
I believe we may have AD/ARD working. We've created the 4 groups the ARD manual references (ard_admin, ard_manage, ard_interact, ard_reports) and we've assigned our AD groups to them. Then we used the kickstart options "-activate -configure -clientopts -setdirlogins -dirlogins yes" in a script. I've got some more testing to do, but it appears to work without OD nesting.
John McLaughlin
Technical Support Specialist
Newton Public Schools
Posted on 06-24-2010 12:31 AM
I believe you will need to restart the ARD service as well.
John McLaughlin
Technical Support Specialist
Newton Public Schools
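Pulling the thread together as an added example (this is not a script anyone posted above): a post-image script that checks Joseph's "Allow administration by" binding state, confirms the four ard_* groups the ARD manual names actually resolve on the client, and then runs the kickstart options John reported working, followed by the agent restart from his last post. It is written in the same shell the kickstart snippet is typed into. Assumptions not stated in the thread: the client is already bound with dsconfigad; `dsconfigad -show` prints lines labelled "Active Directory Domain" and "Allowed admin groups" (the 10.5/10.6 format); the AD groups are visible through the /Search node under their short names; and the kickstart path is the one quoted by Tom. The sample `dsconfigad -show` and group-list text used to exercise the functions is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example for this thread, not code posted in it. Grants Apple Remote
# Desktop access to Active Directory users through the four ARD directory
# groups instead of a shared local "ard" account.
#
# Assumptions (not from the thread): client already bound with dsconfigad;
# ard_admin/ard_manage/ard_interact/ard_reports exist in the domain and
# resolve via /Search; `dsconfigad -show` labels are the 10.5/10.6 ones;
# kickstart lives at the path Tom quoted.

KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
ARD_GROUPS="ard_admin ard_manage ard_interact ard_reports"

# ad_domain: print the bound domain from `dsconfigad -show` text on stdin;
# print nothing and return 1 when the machine is not bound.
ad_domain() {
    awk -F'= *' '/Active Directory Domain/ { print $2; found = 1 }
                 END { exit !found }'
}

# admin_groups: the AD groups granted local admin rights ("Allow
# administration by", Joseph's Directory Utility setting), from the same text.
admin_groups() {
    awk -F'= *' '/Allowed admin groups/ { print $2 }'
}

# missing_groups: every required ARD group absent from the group list on
# stdin (one name per line, as `dscl /Search list /Groups` prints it).
missing_groups() {
    list=$(cat)
    for g in $ARD_GROUPS; do
        printf '%s\n' "$list" | grep -qx "$g" || printf '%s\n' "$g"
    done
}

# kickstart_args: the option set John reported working. Nothing here touches
# -privs, so a user's rights come from which ard_* group they belong to.
kickstart_args() {
    printf '%s' "-activate -configure -clientopts -setdirlogins -dirlogins yes"
}

configure_ard() {
    show=$(dsconfigad -show)
    domain=$(printf '%s\n' "$show" | ad_domain) || {
        echo "not bound to Active Directory; refusing to enable directory logins" >&2
        return 1
    }
    echo "bound to $domain; local admin granted to: $(printf '%s\n' "$show" | admin_groups)"

    missing=$(dscl /Search list /Groups | missing_groups)
    if [ -n "$missing" ]; then
        echo "ARD groups not resolvable through $domain: $(printf '%s\n' "$missing" | tr '\n' ' ')" >&2
        return 1
    fi

    # word splitting of the argument list is intended here
    "$KICKSTART" $(kickstart_args) || return 1
    # the agent reads these settings at start-up; restart it as John's last post notes
    "$KICKSTART" -restart -agent
}

# Run only when invoked with ARD_CONFIGURE=1, so the functions above can be
# sourced and checked on a machine without kickstart or a directory server.
if [ "${ARD_CONFIGURE:-0}" = "1" ]; then
    configure_ard
fi
```

Run it as root on a bound client with `ARD_CONFIGURE=1 sh ard-dirlogins.sh`; the functions take their input on stdin so they can be tried against saved `dsconfigad -show` and `dscl` output first. Compared with Tom's `-privs -all` for two fixed local accounts, or the shared "ard" password, a tech connects as their own directory account and loses access the moment they leave the AD group, with no client-side password to rotate.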